I've got a bit of an ordering question. As part of my Pulumi run, I create a CloudFormation Stack. One of the things that stack creates is an IAM Role. I want to get the name of that Role using

pulumi_aws.iam.get_role

(using Python, FWIW) in order to grant it permission to access an S3 bucket. The stack creation and permission granting are currently in the initialization of a Component Resource. As I was developing my application, I started out with just the CloudFormation stack, and only later added this permission granting step. Because of this, the CloudFormation stack (and thus the Role) already existed by the time I added the

get_role

call. Now, however, I am creating a new instance of my Pulumi stack from scratch, and nothing exists. I had assumed that my

get_role

call would be fine, given that I'm using the Outputs of the CloudFormation stack, e.g.

queue_instance_role = aws.iam.get_role(
                name=self.cf_stack.outputs["InstanceRoleName"],
            )

but this apparently isn't sufficient; I'm getting the following error:

Exception: invoke of aws:iam/getRole:getRole failed: Missing required argument: The argument "name" is required, but no definition was found. ()

This is on Pulumi 2.25.2. Is there a way to force this

get_role

call to wait until the CloudFormation stack is created before being invoked? Thanks.

you keep using the word

Stack

- do you mean the pulumi concept of a Stack? Like is all of this occurring in one pulumi stack? Do you need to

get_role

? Is the role created further up in the stack with like:

var role = new Aws.Iam.Role("role", ...);

And if it is, is the name you want a pulumi output on that object, like

role.RoleName

? And if it isn't can you provide the role ARN on the new policy instead of the name? Since that is definitely an output.

One of the resources in my Pulumi stack is a Cloudformation stack, the definition of which I am consuming from a 3rd party. One of the things that Cloudformation stack creates is an IAM Role. One of the Cloudformation stack outputs is the name of that role. Cloudformation outputs are exposed in Pulumi as outputs of the Cloudformation stack resource. To do additional infrastructure setup with additional Pulumi resources, I need to refer to that IAM role name. In everything else I do in Pulumi, the fact that the information is a Pulumi Output handles the necessary dependency ordering just fine. Here, that does not appear to be the case. My questions are: "_why_ is this not the case?" and "is there another way of formulating my Pulumi code to deal with this scenario?"

I still don't think you should be doing

get_role

. That is why the ordering is broken. Can you link me reference for the 3rd party Cloudformation stack definition?

ok now I'm even more confused that you linked me a big yaml file. I thought you said you were using pulumi python? Is the "Cloudformation stack" part of the same pulumi stack? From your description I thought it was a ComponentResource provided by a 3rd party.

That's the 3rd party Cloudformation stack

Right - but it's YAML. So how is it part of the same pulumi stack as your python stack? can you share your python code?

I'm using this: https://www.pulumi.com/docs/reference/pkg/aws/cloudformation/stack/#template_url_python

ok that makes sense thank you. and

cloudformation.stack.outputs

has a role name that you are using?

Yes:

queue_instance_role = aws.iam.get_role(
    name=self.cf_stack.outputs["InstanceRoleName"],
)

my question is - why do you need to get role?

the name is generated in the stack execution, and I'd rather not have to rely on internal knowledge of how that stack executes in order to get the name elsewhere.

I'm confused by that statement. Can you share the code where you are creating the S3 policy?

Yes, I need the name of the role. I can just look into the Cloudformation stack definition and figure out how it pieces the name of that role together (as it turns out, it's not terribly complicated). While that is workable, it's only because the name (in this particular case) doesn't (currently!) include any randomly-generated content (like Pulumi does by default, with e.g. "foo-Role-abc123"). More broadly, I'm pretty sure that the role must exist in order for a RolePolicy to be attached to it, and the only way I can be sure it exists is to create the Pulumi resources that depend on that Role after that Role has been created. I was under the impression that because that name is exposed by the Cloudformation Stack as a Pulumi Output, this ordering would be taken care of by Pulumi. But it does not appear to be the case.

I really need to see your code in order to help you any further man, I'm sorry. I must really be missing something because I don't understand why you cannot use the name that you have.

I guess the answer is that

get_role

expects a

str

and not an

Output[str]

... presumably if the latter were true, this would work.

well that's my question, you don't need to get the role first if you already have the information you need, right?

It should be, yes: https://www.pulumi.com/docs/reference/pkg/aws/cloudformation/stack/#outputs_python.

so what property do you need from the

Aws.Iam.Role

that is returned by

get_role

?

Since it is only the name I need, I'm just going to restructure the code of the policy document to use the Cloudformation stack output directly. I had been trying to be more object-oriented in how I was writing this code, but that doesn't look like it's going to work in this case.

I mean, you're not being less object-oriented by not using

get_role

I don't think.

Get_role

is just meant to be used to retrieve resources that don't belong to your stack, which is why it wasn't waiting for the role to be created.. because it assumes it exists outside your stack